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ABSTRACT 

Distributed Denial-of-Service (DDoS) attacks are a major 
problem in the Internet today. In one form of a DDoS at- 
tack, a large number of compromised hosts send unwanted 
traffic to the victim, thus exhausting the victim's resources 
and preventing it from serving its legitimate clients. One of 
the main mechanisms that have been proposed to deal with 
DDoS is filtering, which allows routers to selectively block 
unwanted traffic. Given the magnitude of DDoS attacks 
and the high cost of filters in the routers today, the suc- 
cessful mitigation of a DDoS attack using filtering crucially 
depends on the efficient allocation of filtering resources. In 
this paper, we consider a single router, typically the victim's 
gateway, with a limited number of available filters. We study 
how to optimally allocate filters to attack sources, or entire 
domains of attack sources, so as to maximize the amount 
of good traffic preserved, under a constraint on the num- 
ber of filters. We formulate the problem as an optimization 
problem and solve it optimally using dynamic programming, 
study the properties of the optimal allocation, experiment 
with a simple heuristic and evaluate our solutions for a range 
of realistic attack-scenarios. First, we look at a single-tier 
where the collateral damage is high due to the filtering at 
the granularity of domains. Second, we look at the two-tier 
problem where we have an additional constraint on the num- 
ber of filters and the filtering is performed on the granularity 
of attackers and domains. 
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1. INTRODUCTION 

Distributed Denial-of-Service attacks (DoS) are one of the 
most severe and hard to solve problems on the Internet to- 
day. During a DDoS attack, a large number of compro- 
mised hosts coordinate and send unwanted traffic to the vic- 
tim thus exhausting the victim's resources and preventing 
it from serving its legitimate clients. For example, victims 
of DDoS attacks can be companies that rely on the Internet 
for their business, in which case DDoS attacks can result 
in severe financial loss or even in the company quitting the 
business [1]. Government sites (e.g. wwwl.whitehouse.gov) 
and other organizations can also be victims of DDoS attacks, 
in which case disruption of operation results in a political 
or reputation cost. 



Several approaches and mechanisms have been proposed to 
deal with DDoS attacks; this is still an active research area 
with ongoing work. One body of anti-DDoS work has fo- 
cused on developing DDoS detection mechanisms: how to 
quickly identify that an attack is ongoing, how to distinguish 
the legitimate from the attack traffic, and how to identify the 
paths where attack traffic is coming from. Another body of 
work focuses on DDoS defense mechanisms to mitigate the 
damage inflicted by a DDoS attack; defense mechanisms can 
be proactive, such as capabilities [11] [10] and/or re-active, 
such as filtering at the routers [8]. 

In this work, we are particularly interested in filtering mech- 
anisms, which are a necessary component in the anti-DDoS 
solution. We consider the scenario of a bandwidth flood- 
ing attack, during which the bottleneck link to the victim 
is flooded with undesired traffic. To defend against such 
an attack, the victim must identify undesired traffic (using 
some identification mechanism which is not the focus of this 
work) and request from its ISP/gateway to block it before 
it enters the victim's access link and causes damage to le- 
gitimate traffic. Even assuming a perfect mechanism for 
identification of attack traffic, filter allocation at the vic- 
tim's gateway is in itself a hard problem. The reason is 
that the number of attack sources in today's DDoS attacks 
is much larger than the number of expensive filters (ACLs) 
at the routers. Therefore, the victim cannot afford to selec- 
tively block traffic from each individual attack source, but 
instead may have to block entire domains; in that case le- 
gitimate traffic originating from that domain is also unnec- 
essarily filtered together with the attack sources. Clearly, 
the successful mitigation of a DDoS attack using filtering, 
crucially depends on the allocation of filtering resources. In 
this paper, we do not propose a new architectural solution to 
DDoS. We study and optimize the use of an existing mech- 
anism - filtering. Filters can be placed at a single gateways' 
tier, so as to maximize the preserved good traffic; the core 
insight in the single-tier problem is that the coarse filtering 
granularity makes co-located attack and legitimate traffic 
to share fate. This single-tier problem turned out to be a 
knapsack problem, with a greedy solution [21]. The insight 
in the multi-tier problem is between the preserved goodput 
and the number of filters used. In addition, we propose a 
simple two-tier heuristic and we evaluate our solution for 
three realistic attack scenarios, based on data sets from the 
analysis of the Code Red [16] and Slammer [17] worms, the 
Prolexic Zombie Report [19], and statistics on Internet users 
[20]. 



The structure of the rest of the paper is as follows. In sec- 
tion 2, we give more background on the problem and we 
discuss related work. In section 3, we formulate the prob- 
lem of optimal filter allocation on a single tier (i.e. gateways 
or attackers tier) and the more general problem of filtering 
at both the gateway and attacker tier. We solve the prob- 
lem optimally using dynamic programming. We study the 
properties of the optimal solution and develop a low com- 
plexity heuristic and compare its performance to that of the 
optimal solution through simulation in section 4. In section 
5, we conclude the paper and discuss open issues and future 
work. 

2. BACKGROUND 
2.1 The DDoS Problem 

There are several ways to launch DDoS attacks, which can 
be mainly classified into the following types. First, there are 
vulnerability attacks, when some vulnerability in the OS of 
the targeted machine or in the network stack is exploited. 
This causes the victim's machine to crash once it receives 
packets that exploit this vulnerability. In this paper, we 
are not interested in this type of attack, because, once the 
vulnerability is detected and patched, the victim is immune 
to such attacks. Second, there are attacks that exploit a 
protocol design vulnerability. 1 Such attacks can be fixed 
by modifying the existing protocols, and by having firewalls 
check for adherence to protocol specifications; we are not 
concerned with this type of attack either. The last type of 
DDoS attacks aim at resource consumption. They exhaust 
critical resources in the victim's system such as CPU time, 
memory or network bandwidth, thus causing the disruption 
of legitimate service. In this paper, we are concerned with 
a DDoS attack on network bandwidth, also called flooding 
attack. A flooding attack is very easy to launch as it only 
requires sending a certain amount of traffic that overwhelms 
the link connecting the victim to the Internet. 2 An exam- 
ple of flooding attack is shown in Fig. I. A victim (V) is 
connected to the Internet through ISP-V, using an access 
link with bandwidth C. The victim is under a DDoS attack 
from several attack sources hosted by other ISPs, such as 
ISP-A. The total traffic coming from those sources exceeds 
the total capacity C. 



2.2 Filtering 

Filtering is one of the mechanisms that can help to mitigate 
DDoS attacks and stop the unwanted traffic from reaching 
the victim and consuming network bandwidth along the way. 
For example, in Fig. I, the victim can send a filtering request 
to its own ISP-V to block all traffic from ISP-A to the victim. 
ISP-V responds by placing filters at appropriately chosen 
gateway(s), e.g. GW-V or GW-B. In this paper, we are not 
concerned with choosing the best gateway within an ISP 

1 An example is the well-known TCP three way handshake 
protocol, which usually allocates resources on the server side 
in the second step to the handshake. An attacker launches a 
large number of uncompleted handshakes and overloads the 
victim's connection tables. 

2 It could also be a problem to ISPs or networks on the way 
of the attack, but we are not concerned with these cases 
because they generally are over provisioned 




Figure 1: The victim (V) is connected to its ISP 
(ISP-V) through an access router (GW-V ) and an 
access link (with bandwidth C). GW-B is a border 
router of ISP-V. Attackers are located in various 
ASes behind the attack gateways; the total traffic 
exceeds the capacity C. 

for placing the filters; instead we look at a single gateway, 
say GW-V, and how to allocate filters to attackers or attack 
domains. 

By "filters", we refer to access control lists (ACLs), which 
allow a router to match a packet header against rules. E.g. 
in the DDoS case described above, the router checks if the 
packet is going to victim V and coming from attacking host 
A; or the router might check the source IP address and filter 
out any packet coming from the entire ISP-A. Packet filters 
in routers are a scarce, expensive resource because they are 
stored in the expensive TCAM (ternary content addressable 
memory). A router linecard or supervisor-engine card typi- 
cally supports a single TCAM chip with tens of thousands 
of entries. So, depending on how an ISP connects its clients 
to its network, each client can typically claim from a few 
hundred to a few thousand filters - not enough to block the 
attacks observed today and not nearly enough to block the 
attacks expected in the near future. We formulate two fil- 
tering problems: the single-tier and the two-tier filtering, 
depending on the granularity of packet filtering (or equiv- 
alently, the levels of the attack graph considered). In the 
single-tier case, we are interested in filtering entire attack 
gateways, a task for which there are enough filters today; in 
this context, we seek to filter out traffic so that the total traf- 
fic arriving at the victim is below the available bandwidth, 
while maximizing the preserved legitimate traffic. In the 
two-tier problem, we are interested in filtering not only at- 
tack gateways but also individual attackers, a task for which 
there are not enough filters in a single router today; the 
number of filters becomes then an additional constraint. 

2.3 Related Work 

The DDoS problem has been an active research area in re- 
cent years and different aspects have been addressed; a tax- 
onomy of attacks and defense mechanisms can be found in 
[2]. Here we review only aspects related to our work. 



Our work relies on existing mechanisms to be able to identify 
the attack traffic, distinguish it from the legitimate traffic 
and trace its approximate path back to the attack source 
[3] . The main difficulty in path identification lies in dealing 
with source IP address spoofing. 3 Other mechanisms for 
path identification and traceback include probabilistically 
sending ICMP messages [5]; mechanisms based on hashing 
[6] or packet marking [7]. 

In this work, we focus on filtering at a single router, typically 
at the victim's gateway. Looking at the bigger picture, sev- 
eral mechanisms have been proposed to enable filter propa- 
gation as close to the attack source a possible. For example, 
Pushback [8] enables routers to propagate filtering upstream 
hop-by-hop, at the router-level. AITF [9] proposes to com- 
municate filtering information from the victim upstream to- 
wards the attack domain, but at the granularity of AS, as 
opposed to router. 

Filtering is not the only mechanism for mitigation of DDoS 
attacks. Some of the proposed approaches revisit the basic 
assumption of the Internet architecture, stating that every 
host can send to any other host, without requiring permis- 
sion of the receiving host. For example, capabilities which 
propose that tokens are obtained before establishing a con- 
nection with a destination, and that these token are in- 
cluded in each packet [10] [11] [12] This proposal requires 
changing the routers on the Internet and adding new servers 
and changes the whole Internet architecture. Other pro- 
posals use overlay mechanisms to implement a similar con- 
cept which is to restrict communication to the victim only 
through some known well provisioned overlay nodes which 
can filter and detect attacks [13] [14]. 

Using filtering could provide a quick solution or first line 
of defense to DoS attacks, until a permanent one is devel- 
oped and is already used today in commercially available 
systems and anti-DoS services [15]. The downside of filter- 
ing is that its performance heavily depends on being able 
to identify attack traffic and distinguish it from legitimate 
traffic, which is not an easy task. However, it is an avail- 
able, reactive mechanism that can be used in conjunction 
with other approaches. 

Finally, in this paper, we rely upon data from analysis of 
worms, to construct realistic attack scenarios. Internet worms 
are older than DDoS attacks, but are relevant for studying 
such attacks because they are used as a tool to infect and 
compromise hosts on the Internet with the attack clients. 
The Code Red [16] worm is one well-known worm from 2001, 
which contained code to launch a DoS attack on the website 
(wwwl.whitehouse.gov), which did not succeed. Recently, 
several other worms have been caused huge financial losses, 
such as Slammer [17], MyDoom, Flash worms [18] and others 
and have attracted a lot of researcher's attention. Prolexic 
[15] is also regularly publishing a very informative "Zombie 
Report", on the most infected hosts per country, network 
service-provider and other meaningful groupings [19]; these 
data are collected from actually launched DDoS attacks. A 

3 Because ingress filtering [4] is not widely adopted, it is 
easy to spoof the source IP address of any packet. However, 
most attack tools do not need to spoof, because of the large 
number of attackers, it is useless to spoof. 



detailed characterization of DDoS attacks is much needed as 
input for testing and evaluating the effectiveness of proposed 
solutions. 

3. FORMULATION OF OPTIMAL ALLO- 
CATION OF FILTERS 

3.1 General Discussion 

In general, one might consider allocating filters at any level 
of the attack graph, see Fig.l. There is clearly a trade off 
between filtering granularity (to maximize goodput) and the 
number of filters. If there were no constraints on the number 
of filters, the maximum throughput of good traffic (goodput) 
would be achieved by allocating filters as close to individ- 
ual attackers as possible. The gateway in question (GW-V) 
faces the following tradeoff. Ideally, GW-V would like to 
filter out all attackers and allow all good traffic to reach the 
victim. Unfortunately, in a typical DDoS attack, there are 
not enough filters to individually filter all IP addresses of 
attack hosts. A solution is to aggregate attack sources into 
a single filter; in practice, there are enough filters available 
to filter at that granularity. E.g. GW-V could summarize 
several attack sources coming from the same domain, e.g. 
behind GW-1, into a single rule and filter out the entire do- 
mains, as shown in Fig. 2. However, there is also legitimate 
traffic coming from each domain. Therefore, filtering at the 
granularity of attack gateway-tier causes "collateral" dam- 
age to legitimate traffic that falls into the range of the IP 
addresses described by the filter. This problem, referred to 
as the "single-tier filtering", is studied in section 3.2 so as 
to preserve the maximum amount of legitimate traffic while 
meeting the capacity constraint. This turns out to be a 
knapsack problem that can be solved by a greedy algorithm 
(shown in Algorithm 1). 

In practice, there are more filters (F) than attack gate- 
ways (N < F), but less filters than individual attackers 
(F < X^i=i Mi) (see Fig. 3). Filtering at the gateway level 
is feasible but causes the collateral damage discussed above, 
due to its coarse granularity. Filtering at the attacker's level 
would preserve the maximum possible throughput but it is 
not realistic (due to the high number of attackers as well 
as due to spoofing); we still consider it as an upper bound 
for performance. A practical and effective compromise be- 
tween the two extremes can be the two-tier filtering, shown 
in Fig. 3. In the two-tier filtering, we can choose to filter 
either at gateways' granularity (e.g. filter 1 in Fig. 3) or at 
attackers' granularity (e.g. filter 2 in Fig. 3). The optimal 
allocation of filters to individual attack sources, or to entire 
attack gateways, depends on the characteristics of the at- 
tack (distribution and intensity) as well as on the number 
of available filters. Furthermore, the successful containment 
of the DDoS attack crucially depends on the optimization 
of the filter allocation. 

3.2 Single-Tier Allocation 

The single-tier scenario is shown in Fig. 2. There are N at- 
tacking gateways, each generating both good (G») and bad 
(Bi) traffic toward the victim; the total traffic toward the 
victim exceeds its capacity C. Gateway GW-V allocates fil- 
ters to block the attack traffic towards V. There are enough 
filters to allocate to the N gateways. The objective is to 
allocate filters to limit the total traffic below the available 
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Algorithm 1 Greedy Algorithm for the Single-Tier. 

Q . 

• Order nodes in decreasing order Q + 3 B . W.l.o.g. j — 
1,2, ..N from largest to smallest efficiency. 

• Find the critical node c s.t.: X^=i _1 Gj + Bj < C and 

>:; '.<■■, ■ i>, c 

• Allocate filters to nodes i — 1,2, ...N as follows: 

— Xj = 1 for j = 1, 2, ..c — 1 (allow to pass) 



(rate limiter) 



Figure 2: Single-Tier Filtering Problem 



G a +B c 

Xj = for j = c + 1, ..n (filters) 



capacity, so as to maximize the amount of legitimate traffic 
that is getting through to the victim (because this is what 
the victim cares about, e.g. revenue for a web server). 

Let us use Xi — 1 and Xi — to indicate whether we allow 
or block all traffic from gateway i. The problem of optimal 
allocation of filters is to choose {xi}f : 



Y^Gi ■ Xi 



s.t.^{G l +B l )-x l <C 
and x r e {0, l},i = 1, 2, ..N 



(1) 



We noticed that the filter allocation problem is essentially 
a 0-1 knapsack problem [21]. Recall that in the knapsack 
problem, we choose some among N objects, each with profit 
Vi and a weight Wi, so as to maximize the total profit, sub- 
ject to a total weight constraint. In our case, the objects 
are the attacking nodes with profits and weights Gi and 
d + Bi respectively; and there is a constraint C on the 
victim's bandwidth. This is well-known to be a computa- 
tionally hard problem. However, we need computationally 
efficient solutions, because the filter allocation should be de- 
cided in real-time during the attack. 

The continuous relaxation of the problem (where x is no 
longer binary, but instead < Xi < 1) can be interpreted as 
placing rate-limiters: we allow ratio Xi of the traffic coming 
from node i to get to the victim. This corresponds to the 
fractional knapsack problem, which can be solved optimally 
using a greedy algorithm [21]. The algorithm in Algorithm 
1, shown below, sorts nodes in a decreasing order of effi- 
ciency G °l B , 4 and greedily accepts (an = 1) nodes with the 
maximum efficiency, until a critical node c, which if allowed 
will exceed the capacity. Traffic from all remaining nodes is 



4 Technically, maximizing ^ Q G ^ B is not the same as max- 
imizing ~}2 Gi . However because the optimal solution has 
X] d + Bi ~ C, it is the same in practice. 



Notice, that it is impractical to allocate rate-limiters to 
all attacking nodes, because rate-limiters are expensive re- 
sources and require keeping state. Fortunately, the opti- 
mal solution of the fractional problem turned out to be 
(x±, ...x c -!,x c ,x c+1 , ...,x N ) = (1,-1, x c -i,0, ...0), thus us- 
ing C — 1 filters and exactly one rate-limiter, which matches 
well current router resources. 

3.3 Two-Tier Allocation 

The two-tier problem is the following. Consider iV attack 
gateways and Mi attack hosts behind attack gateway i, i.e. 
the last two tiers in Fig.l. Each attacker contributes both 
good (Gij) and bad traffic (By), i = l,2..N,j = 1,2.. .Mj. 
Xij G 0, 1 depending on whether we allocate a filter to 
attack-host j behind gateway i. i, £ 0,1 depending on 
whether we allocate a filter to attack- gateway i; if Xi — 0, 
then all traffic originating behind GW-i is blocked, and there 
is no need to allocate additional filters to attackers (i, j),j — 



The problem is how to choose {xi}'s, {xij}'s, given the con- 
straints C on the victim's capacity and on the available num- 
ber of filters F at the gateway: 



max 



^ ] Gij ' Xi ■ Xij 



i=N j-Mi 

s.t. S~] /J (Gij + Bij) ■ Xi - Xij < C 

i=l J = l ( 2 ) 

5^(1 - Xi ) + ^(1 -Xij)<F 

where Xi £ {0, 1}, i = 1, 2, ..N 
and x^ e {0, 1}, j = 1, 2..., Mj 



The two-tier problem is harder than the single-tier one: it 
is a variation of the cardinality-constrained knapsack [21], 
and the optimal solution (in O(NMF)) cannot be found 



If only filters are allowed, we can choose x c = so that the 
total traffic does not violate the capacity constraint of the 
congested link. 
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and {n}; x < f niters are assigned to the new gateway 
n and the remaining / — x filters are assigned to the pre- 
vious gateways {1,2, ..n — 1}. The x filters assigned to 
GW n axe used to block the x worst attackers. Therefore, 
Ej=o K n i x ) bad traffic is blocked and the remaining C(n) — 
J2jZo b ( n ' x) = Gn + JjjZ^+i H n > x ) traffic goes through 
(gwn un filtered in line 24), consuming part of the total ca- 
pacity c. The remaining f — x filters are optimally assigned 
to gateways 1, 2, ...n — 1. Recall that we have previously ob- 
tained and stored the optimal solutions JJJ_ l (c, /) consider- 
ing only gateways {1, 2, ...n — 1}, for all c and /; therefore, 
we already know the best allocation of / — x filters across 
gateways {1, 2, ...n — 1} so as to get the maximum goodput 
T^c - (C(n) - b(n, x)),f - x). 



Figure 3: Two-Tiers Filtering Problem 



We consider all possible values of x and choose the value 
among < x < f that gives the maximum goodput (line 33 
in Alg.2). There are some values of x that deserve special 
attention: 



efficiently. We formulate the problem using dynamic pro- 
gramming and obtain its optimum solution as a base line 
for comparison, but we point out that the dynamic pro- 
gramming algorithm is computationally very expensive and 
can not be used in real time. 

Definitions. Consider the two-tiers configurations, shown 
in Fig. 3. There are N gateways. A gateway n gener- 
ates legitimate traffic G n and also attack traffic from M n 
attack sources; w.l.o.g. consider that the attacker sources 
are ordered from worst to best: b(n, 1) > ... > b(n,M n ). 
Therefore, each gateway generates total traffic C n ~ G n + 
Ef-LiK 72 !*)- Before filtering, the total traffic exceeds the 
victim's access bandwidth (capacity) C: E=i Gn > C. We 
are interested in placing F filters across the N gateways, so 
as to bring the total traffic below C, while maximizing the 
total goodput after filtering Tn(C,F). T^(C,F), can be 
computed recursively as summarized in Algorithm 2. The 
recursion proceeds considering one more gateway at a time; 
the order in which gateways are considered is not impor- 
tant. Let T*(c,f), for i < N, be the maximum goodput of 
the smaller problem, i.e. with optimal placement of / < F 
filters considering only gateways {1, 2, ..i} and capacity up 
to c < C. Assume that, in previous steps, we have already 
obtained and stored the optimal solutions Ti(c, /) consider- 
ing only gateways 1, 2, ...n — 1, for all values of c = 0, 1, ..C 
and / = 0, 1, ...F. Then T*(c, /) can be computed from the 
Bellman recursive equation: 



T n *(c, /) = max T^c - (C n - V b(n,j)), f - x) + G n 

x=0,l,..f £ — ' 
3=0 

(3) 

This recursive equation is at the heart of Alg.2 (see line 23). 

Intuition. In step n, we consider gateway n together with 
the previous gateways 1,2, ...n — 1. The / available filters 
can be split among two groups of gateways: {1,2, ..n — 1} 



• x = means that we assign no filters to gateway n, 
in which case our best goodput is the same as be- 
fore, enhanced by the goodput of the current gateway: 
T*_ x {c ~C n ,f) + G n (maxO in line 12 of Alg. 2). 

• x = 1 means that we assign exactly one filter to gate- 
way n, either at attacker or at gateway level. If we 
assign this one filter to an attacker, it should be the 
worst attacker b(n, 1) (line 16 in Alg.2). If this one 
filter is assigned to the entire gateway, then the entire 
traffic C n from gateway n is filtered out and all good- 
put comes from the previous gateways T^_ 1 (c, f — 1) 
(see line 18 of Alg.2). We need to compare the two 
possibilities and choose the one that maximizes the 
overall goodput (mail in line 19 of Alg.2). 

• We consider increasing values of x until we either run 
out of filters (a; = /) or we filter out all attackers in 
this gateway (a; = M n ). Therefore, x can increase up 
to min{f,M n } (line 23 in Alg. 2). 

Other technicalities in Algorithm 2 include the obvious ini- 
tializations (lines 1-3) and assigning T* = to infeasible 
problems (line 3-2™ case and line 28). 

Optimal Substructure. The reason that we are able to com- 
pute the optimal solution using dynamic programming (DP) 
is because the problem exhibits the optimal substructure 
property. 

Proposition. If a* is the optimal solution for problem 
(n, c, /), then it contains a part n -i} C a* (correspond- 
ing to the filters assigned to the first n-1 gateways) which 
must also be the optimal solution for the smaller problem 
(n - 1, C - {Cn - Ej=S Hn, x)),f-x). 

Proof, a* is the optimal solution for problem (n, c, /), 
achieving maximum goodput T*(c, /). 6 This solution (filter 

6 a* will have the form of a vector (1, 0, 0, 0, 1); 0/1 de- 
scribes whether an attacker or gateway has been filtered out 
or not; the attackers and gateways should be listed in the 
same order they are considered in the DP. 



Algorithm 2 Dynamic Programming (DP) Formulation for 
the Two- Tiers Filtering Problem 



3: T*(:,/ = 0) = 



9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24 
25 
26 
27 
28 
29 
30 
31 
32 
33 
34 
35 
36 
37 



for n = 1,2, ..N do 
T n *(c = 0,:) = 0^ 

X)n=l G " 

^0 

end for 



if Eli G„ < C 
otherwise 



for n G [1, N] do 
for c G [1,(7] do 
for / G [1,F] do 

/* a; out of / filters are assigned to GW n */ 

/* assign x = filters to GW n * / 
max0^T:_ 1 {c-C n ,f) + G n 

/^assign x = 1 filter to GW„*/ 
/* ...either at gateway level*/ 
maxl gw = T*_! (c, / - 1) 



/* ...or at attacker level*/ 
maxlatt = T*_ 1 (c - (C„ - b(n, 1)), / - 
maxl = max{rnaxl gw , maxlatt} 
max = max{max0, maxl} 



1) + G„ 



/* assign x > 2 filters at attack level. */ 
for x G [2, min(f, M„)] do 

gwn un filtered ■= C„ - YTj = \ H n > j) 
if C > gWUun filtered then 

temp := T n -!*(c~ gwn un futered, f-x)+G„ 
else 

temp := 
end if 

if temp > max then 

max := temp 
end if 

T„(c, f) := max 
end for 
end for 
end for 
end for 



assignment) must have two parts a* — 
The first part, a*, 12 7 , describes how filters are placed 

across gateways {1, 2, ..n — 1}. The second part, a^ n y S de- 
scribes how filters are assigned to gateway {n} only. Let's 
look carefully at the optimal solution a*: it assigns some 
number of filters (x) to gateway n and the remaining ones 
(f—x) to gateways {0, 1, ..n— 1}. This means that Ej=o K n > x ) 
out of C n traffic is filtered out at gateway n and the re- 
maining C„ — X^=o °( n > x ) i s l e ft unfiltered. In summary, 
the optimal solution can be partitioned in two parts a* = 
( a {i,2..n-i}> a {n}) tnat contribute to the maximum through- 
put: 



T n *(c,/) :=T| 



{1,2- 



-1} 



Assume that b, and not a*^ 2 „_i\, is the optimal filter as- 



7 a vector (1, 0,0, ...) starting from the left of vector a* 
8 the remaining part at the right side of vector a* 



signment for the smaller problem (n— 1, C— (C„— Ej=o ^( n ' 11 
a). Then, by definition, of the optimal filtering, it achieves 
larger goodput than the substructure 2.. n _i} C a*: T*_ x : 
T|. > T| . 



{1,2.. 



-1} 



Now, we can construct another solution d for the larger prob- 
lem (n, c, /) as follows. Replace the first part a{i,2..n-i} of 
a* with b, for assigning f — x filters up to gateway n — 1, 
which would fit within capacity C — (C n ~ Ej=o ^( n > :r ))- 
Then, do exactly the same assignment as the DP would do, 
in Eq. 3, for assigning the x remaining filters to gateway 
n. This newly constructed filter assignment d has two parts 
d = (6, d{„}) that contribute to the total goodput. 

The first part 6 is over gateways {1, 2, ..n — 1}. We con- 
structed this part to be the same as the optimal assignment 
of / — x filters over gateways {1, 2, ..n — 1}, with available 
capacity C — (C n — Ej=o ^( n ' a; ))- Therefore it achieves op- 
timal goodput T|, := T*_ ± >T\ , 

° "{1,2. .71-1} 

The second part di is an assignment over only gateway {n}. 
We constructed it to do exactly what the DP would do at 
step n with x available filters: either filter out the worst 
x attackers of gateway n (i.e. attackers b(n,l)...b(l, x)) or 
filter out the entire gateway (if x = 1 is assigned at gateway 
level). Therefore, d?, is by construction is the exact same 
assignment as the DP's: d-z — d{„}» and results in the same 
goodput: T 



-{„} 



Therefore, we constructed a solution d — (6, <fe) which per- 
forms better than the DP solution a*: 



T =T\ 

Id 



+ T 



> T 



+ T 



= T\ 



{1,2.- 



-{„} 



(4) 



This is a contradiction because we assumed that a* was an 
optimal solution for the bigger problem (n, c, /) . Therefore 
the substructure o| li of the optimal solution a* has 
to be the optimal solution for the smaller problem. □ 

Cost of the Dynamic Programming. Computing the optimal 
solution value T*(C,F) using dynamic programming (DP) 
can be seen as filling up a table of size N ■ C ■ F. For real- 
istic large values of N, C, F this can be prohibitively large, 
both from a run-time and from a memory point of view. 
While the number of gateways N can be moderate, the ca- 
pacity C (normalized in units of the smallest attack rate) 
and F (in the order of thousands or tens of thousands) can 
be quite large in practice. An idea might be to work with 
coarser increments of C and F - which brings us already 
in the realm of heuristics for the DP, which we need to ex- 
plore anyway. Nevertheless, computing the optimal solution 
is still important as a benchmark for evaluation of any pro- 
posed heuristic. 

3.3.1 Properties of the Optimal Solution 

From the simulations of the dynamic programming, in sec- 
tion 4.4, we made the following preliminary observations on 
the behavior of the optimal solution. 
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Figure 4: Improvement from using optimal filtering 
for various attack intensities (% of attacking nodes, 
B/(G + B)). We consider n — 1000 attacking nodes, 
all sending at the same rate (10Mbps). 

Comparison to single-tier filtering. Let Tjv(C, /), Gn(C, /), 
An(C, f) be the maximum goodput achieved by the optimal 
placement of / filters across A^ gateways, considering multi- 
tier placement, single-tier placement at gateways and single 
attackers respectively. Given the same attack scenario: 



Figure 5: Improvement from using optimal filtering 
for various % of nodes with high intensity, and var- 
ious % of nodes sending at higher rate (100Mbps). 
H = 0.9 is fixed for all attacking nodes. 

Let us control the intensity of the attack through a simple 
model with three parameters, (i) the bandwidth at which 
each node sends is a configurable parameter, (ii) x% of the 
nodes that are attacking and the remaining (100-x)% send 
legitimate traffic (iii) attacking nodes have all the same bad- 
to-overall traffic ratio H — B ^_ G ; the legitimate nodes have 
ratio 1 — H of bad to overall. 



• T N (C,f) > A N (CJ) and T N (CJ) > G N (CJ). This 
is expected, because by definition, the optimal solution 
of the multi-tier problem considers placing all filters at 
gateway and attack level, as special cases. 

• G* < T < A* where: G* is the optimal filtering for 
single gateway tier and A* is the optimal filtering for 
the single attack level filtering. Single tier filtering 
does not have a constraint on the number of filters 
and is only constrained by the "collateral damage" on 
legitimate traffic. 

• As / 1", T converges to A* , the optimal solution for at- 
tacker's single tier, without a constraint on the number 
of filters. 

A preliminary note. The core tradeoff when we consider 
filtering a single gateway is whether we should filter it out 
entirely (thus filtering out both Gi and Bi) or we should use 
a certain number of filters / at attack-tier. How many filters, 
out of our total budget, does it worth spending on a gateway 
with traffic (Gi, b(i, 1), ...(6, n))7 Looking at the structure 
of the optimal solution, it seems to follow a threshold rule 
for deciding whether to filter out an entire gateway or not. 
This threshold depends on the attack distribution and on 
the number of available filters. We are currently working on 
formalizing this informal, but intuitive, observation. 

4. SIMULATIONS 

4.1 Single-Tier Artificially Generated Scenar- 
ios 

We systematically considered a wide range of scenarios and 
here we showcase some representative results. Let us fix the 
number A^ of attack nodes; we considered A^ = 10, 100, 1000. 



Fig. 4 shows the results for N = 1000 nodes, which all send 
at the same rate (10Mbps). We consider all combinations 
of x £ {0, 100}% and H G (0.5, 0.9) and we look at the 
difference in the % of good traffic on the congested link, 
before and after optimal filtering. The figure shows that 
there is always improvement, with the best improvement 
(40%) achieved when 50% of all nodes are attackers, sending 
at H = -gfg = 0.9. 

Then, we also vary the sending rate of each node. We ran- 
domly pick 10%, 50% or 90% of the nodes to have 10 times 
more bandwidth than the rest (i.e. 100Mbps). The reason 
we look at heterogeneous bandwidths is that a node should 
be filtered based not only on the ratio B , G , but also on its 
total contribution B + G to the capacity of the congested 
link. Fig. 5, shows that optimal filtering significantly helps 
in this case. 

4.1.1 Varying the number of attacking nodes 
In this section, we increase the number of nodes and we are 
interested not only in the % of good traffic preserved, but 
also in the number of filters required. We compare optimal 
filtering to 3 benchmark policies: 

• Uniform rate limiting: rate- limit all nodes by total fl a ff 
to make sure the total traffic does not exceed the ca- 
pacity. Notice, that this policy is equivalent to no fil- 
tering in terms of percentage of good to overall traffic 
on the congested link. 

• Random filtering: randomly place the same number of 
filters as the optimal policy. 

• Max-min rate limiting: admit the low-rate nodes first 
while allocating the same bandwidth to the high rate 
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Figure 6: Performance of Optimal Filtering for the 
attackers' one tier. 

ones; then distribute the excess capacity fairly among 
the unsatisfied remaining nodes. 9 

We vary the number of attackers (from 1000 to 50000) and 
we allocate filters to individual attackers (attackers' one-tier 
problem ) 10 . In Fig6, optimal filtering clearly outperforms 
the other policies: it preserves more good traffic using less 
filters. However, the number of filters increases linearly with 
the number of attackers, which clearly does not scale for a 
large number of attackers. 

To deal with this scalability issue, we solve the one-tier prob- 
lem at the gateway level. We consider again an increasing 
number of attackers (from 1000 to 50000), but this time 
attackers are evenly spread behind n = 1000 gateways (as 
in Fig. 1) and we allocate filters to gateways, not to in- 
dividual attackers. The results are shown in Fig. 7. The 

9 The motivation is to do a more informed rate limiting than 
the uniform rate-limiting, and also to be friendly to the 
nodes that emit at lower rates. 

l0 In this simulation scenario, we vary N, but we make sure 
that the total good traffic is below the capacity (in particular 

d = v), because this is the practical case of adequate 
provisioning. To construct such an assignment, we assign ^- 
over half of the nodes assigning to every other node and 
we randomly pick N/2 nodes and assign them bad traffic. 
We make sure that the total traffic emitted by each node is 
no more than its maximum rate (32, 64, or 128 kbps) 
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optimal policy again outperforms the others: it preserves 
significantly more good traffic while using much less filters. 
However, there are several differences from filtering at the 
attackers' tier, all due to the coarser filtering granularity. 
First, we need less filters, but the % of preserved traffic 
drops below 50% in the case of larger number of attackers. 
Second, the number of filters used by the optimal policy in- 
creases fast up to around 90% and then saturates, because 
otherwise all traffic would be blocked. Third, the max-min 
policy performs much worse now; also from a practical point 
of view, the uniform and max-min policies are less attrac- 
tive, because they use rate-limiters on all nodes, which is 
unrealistic. 

4.2 Realistic Attack Scenarios 

First, we used data from the analysis of two recent worms, 
Code- Red [16] and Slammer [17] to construct realistic attack 
distributions as in the single-tier section. Another source of 
data we used for the attack traffic distribution is Zombie 
Report [19] published by Prolexic [15]. This report contains 
the percentage of bots, grouped per country, network, ISP 
and other meaningful groupings; we use the data referring to 
the number of infected hosts per country. We assume that 
if a victim is under attack that traffic would come from ten 
countries. We consider the ten first countries and assume 
that they are behind ten different gateways 11 . The distri- 
bution of attack traffic for the Code-Red, Slammer Zombie 
scenario is summarized in the last column of Tables 1, 2 and 
3. 

We consider a typical victim - a web-server with 100Mbps 
access link. We also consider that each country is in a dif- 
ferent AS, thus is behind a different gateway; we then use 
the number of attack sources per gateway, as reported in 
[16, 17, 19] 12 and shown in the 4 th column of Table 1. 
For the legitimate traffic, we use the breakdown of Inter- 
net users per country reported in [20] and shown in the 3 rd 
column of Table 1, 2 and ??. We consider that both at- 
tackers and legitimate users send at the same rate (32kbps, 

Ll note that the first ten countries sum up to be 65% so we 
distribute the rest of the 35% of the attack traffic uniformly 
on these countries 

l2 In [16] 80% of the total attack comes from 10 countries; we 
distributed the rest 20% of the attack uniformly across the 
lower 8 countries. 



Table 2: Slammer Scenario: attack launched by a 
population of hosts infected by a worm similar to 
Slammer. 
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Table 3: Prolexic Scenario: attack launched by a 
bots population, similar to the one in the Prolexic 
Z ombie Report. 
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64kbps or 128kbps), corresponding to upstream dialup/dsl. 
Therefore, if the total number of legitimate users is N and 
that of attackers is M, then the amount of good and bad 
traffic coming from gateway i is Gi — N- (% users behind 
gateway i) ■ (rate) and Bi — M- (% users behind gateway 
i) ■ (rate). Our rationale is that the number of legitimate 
users is representative of the legitimate traffic coming from 
each country. We use the number/percentage of legitimate 
users, to compute the % of total good traffic generated by 
each gateway. The result is summarized in the third column 
in each attack scenario. 

In summary, we construct 3 realistic attack scenarios using 
data from [20] for the good traffic and from the analysis of 
code-red worm, slammer worm and in the Prolexic report 
for the bad traffic. The attack scenarios for the CodeRed, 
Slammer and Prolexic are summarized in Tables 1, 2 and 3 
respectively. 

4.3 Results For Single-Tier 

We simulated the Code- Red scenario, ( CodeRed I - columns 
3 and 4 of Table 1) for a number of legitimate users N from 
1000 to 10000 and attackers M from 1000 to 10000, and we 
compared the amount of good traffic preserved without any 
filtering and with optimal filtering. The results are shown 
in Fig. 8 for 32Kbps sending rate. (The results for 64kbps 
and 128kbps show similar trends and are omitted here). 

Fig. 8(a) shows the % of good traffic preserved. When the 




Total Number of Nodes 

(a) % Good Traffic Preserved after Filtering 



£ 701 





^ — * — y J__J — w T 








— «— Uniform & Max-Min (32 - 64 - 128Kbps) 

Optimal (32Kbps) 
— i — Optimal (64Kbps) 
—T— Optimal (128Kbps) 







10000 20000 30000 40000 

TotaL Number of Nodes 



(b) Number of filters used. 

Figure 7: Performance of Optimal Filtering for the 
gateways' one tier (1000 gateways, same number of 
attackers behind each gateway). 

total good traffic is less than the capacity of the congested 
link, 13 and the number of attackers was between 1000 and 
2000, optimal filtering preserves 100% of the good traffic. 
As the number of attackers increases, the % of good traffic 
preserved drops; e.g. for 1000 users and 10000 attackers, 
optimal filtering preserves 55% of the good traffic. This is 
because filtering at the gateway level is as if it is based on 
destination address or source address with granularity of do- 
mains; better results could be achieved if a finer granularity 
of filtering could be applied (i.e. source address of individual 
attackers), as in the multi-tier case later. 

Fig. 8(b) shows the % of the capacity of the congested link 
that consists of good traffic. When the number of attackers 
is comparable to the number of legitimate users (e.g. 10000 
attackers and 10000 users), we observe that the optimal fil- 
tering preserves 25% more good traffic, which increases the 
percentage of good traffic on the congested link from 50% 
to 75%. However, at the extremes where the number of le- 
gitimate users is much smaller (e.g. 1000 users and 10000 
attackers) or much larger (e.g. 10000 users and 1000 attack- 



When the good traffic exceeds the capacity, we cannot pre- 
serve 100% of good traffic any way. This can be seen as a 
combination of a flash-crowd and DoS attack. In the rest 
of the paper, we focus on cases where the good traffic does 
not exceed the capacity of the link (which is the case with 
normal operation and good provisioning). 
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Figure 8: Performance of Optimal Filtering for sce- 
nario Code Red I. 



Figure 9: Performance of Optimal Filtering for sce- 
nario Code Red II. 



ers) than the number of attackers then the optimal filtering 
increases the preserved good traffic only marginally ( 10%). 

The improvement achieved above was moderate, because all 
gateways had both good and bad traffic. If there are gate- 
ways that carry only good or bad traffic, then filtering would 
be able to better separate good from bad traffic and further 
improve performance. To demonstrate this, we modify the 
distributions of good and bad traffic per gateway, as shown 
m scenario Code Red II- 5 th and 6 th column of Table 1. This 
modification maps to real life scenarios in which a certain 
website has only customers in some, but not all, countries 
(ASs). Also it is reasonable to assume that the attacker will 
not be able to compromise hosts in ASes that span all coun- 
tries, thus there are some gateways with only bad or good 
traffic. 

We used the same simulation setup as for the Code-Red I 
scenario and the results are shown in Fig. 9. The trends 
are similar but the improvement is more substantial: the % 
of the capacity of the congested link used by good traffic 
improves up to 50% with optimal filtering. In the case of 
10000 legitimate users, optimal filtering allows only good 
traffic through the congested link until the capacity is used. 
The same behavior can be observed for 5000 legitimate users 
with 64Kbps and 128Kbps rates. 

4.4 Results For Two-Tier 

Figures 10, 11, and 12 show the performance of the optimal 
two-tier filtering for the Code-Red scenario, the Slammer 
scenario and the Zombie scenario respectively. In all three 



cases, we increase the number of attackers and we look at 
how well filtering can handle the increasing attack traffic. 
The performance metrics of interest are (a) the % goodput 
preserved after filtering and (b) the number of filters used in 
the process. As a baseline for comparison, we also show the 
performance of the optimal single-tier filtering at gateway 
and attack level. 

In all three figures, the optimal solution performs very sim- 
ilarly; although they are based on different distributions of 
good and bad traffic. As expected, filtering at attackers' 
level (plain red line) gives the upper bound for the preserved 
goodput. Indeed, one can preserved 100 % of the good traf- 
fic by filtering out each individual attacker 15 but requires as 
many filters as the number of attackers, which is not fea- 
sible in practice. Filtering at the gateway level (shown in 
dashed green line) provides a lower bound to the preserved 
goodput (because it filters out together both good and bad 
traffic behind the same gateway) but uses a small number of 
filters. Multi-tier filtering lies in the middle (blue curves in 
the middle): it provides a graceful degradation of preserved 
goodput, using only a small number of filters. The larger the 
number of filters available for multi-tier filtering, the closer 
the preserved goodput will be to the upper bound. 

In the previous simulations, we increased the number of at- 

14 Because the computation of the optimal solution through 
DP was computationally intense, we consider a relatively 
small number of k and n in order for the simulations to 
complete. 

15 assuming there are no hosts that produce both good and 
bad traffic 



Optimal Attack Single-Tier 
Optimal Two-Tiers, 50 Filters 
Optimal Two-Tiers, 50 Filters 
Optimal Single Gateways Tier 




90 100 110 120 130 140 150 

Number of Attackers 



(a) % Good Traffic Preserved 



Optimal Single Attack Tier 

— a — Optimal Two-Tiers, 50 Filters 
— 9— Optimal Two-Tiers, 50 Filters 
Optimal Single Gateways Tier 




90 100 110 120 130 

Number of Attackers 



(a) % Good Traffic Preserved 



- Optimal Attackers Tier 
-Optimal DP (50 Filters) 

- Optimal DP (70 Filters) 
Optimal GW Tier 




90 100 110 120 130 

Number of Attackers 



140 
120 
Jj 100 



- Optimal Single Attack Tier 
-Optimal Two-Tiers, 50 Filters 
-Optimal Two-Tiers, 70 Filters 
Optimal Single Gateway Tier 




90 100 110 120 130 

Number of Attackers 



(b) Number of filters used. 



(b) Number of filters used. 



Figure 10: Performance of the Optimal Multi-tier 
Filtering for the CodeRed scenario. 



Figure 12: Performance of the Optimal Multi-tier 
Filtering for the Zombie scenario. 
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Figure 11: Performance of the Optimal Multi-tier 
Filtering for the Slammer scenario. 



tackers but kept the number of legitimate users fixed. The 
total goodput was kept constant and below the capacity, 
that is why it was possible to preserve up to 100% of it. We 
now increase the amount of good traffic together with the 
number of bad traffic, so it is still consistent with the Zombie 
scenario in Table l. 16 In practice, such a scenario captures 
a combination of DDoS attack and a Flash Crowd. The re- 
sults are shown in Fig. 13. One can notice that while the 
good traffic is still below capacity, the curves are flat, mean- 
ing that we can preserve the good traffic. After the point 
that the good traffic exceeds the capacity, the performance 
degrades gracefully. 

4.4. 1 Two-Tier Heuristic (HI ) 

As a quick test, we tried the simple heuristic shown in Alg.3. 
It operates in two separate steps. In the first step, it assigns 
all filters optimally to the attackers-tier only. This may 
require f* tt > F. In the second step, we try to correct that 
by filtering out (thus releasing filters) the gateways with the 
least amount of good traffic. 

This heuristic is a very simple, two-step heuristic, which 
performed reasonably for the scenarios we tried. Clearly, 
there is much room for improvement and fine tuning, and 
this is the direction we are currently working on. 

In this section we present some preliminary simulations of 



16 In particular, we increase the number of nodes at attackers 
tier and we assume that each node emits both good and bad 
traffic. 



Algorithm 3 Multi-tier Heuristic 
1: Assign niters optimally at attacks' single tier. /* This 
may require a number of filters fatt larger than the avail- 
able F* I 

2: Order gateways in decreasing amount of good traffic G. 

3: Allow gateways in a greedy way, i.e. from larger to 
smaller G, until you reach the maximum number of 
available filters F (Keep the filter assignment at their 
attackers as assigned at the first step.). 

4: Filter out all remaining gateways. 
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Figure 13: Modified Zombie scenario to reflect si- 
multaneous increase in attack traffic (DDoS) as well 
as in legitimate traffic (Flash Crowd). 

heuristics. The heuristic is simulated for the same scenar- 
ios we looked at for the optimal solution. In Fig. 13, we 
presented the scenario for the combined zombie and flash 
crowd scenario. Together with the optimal solutions, shown 
in solid lines, we also show the performance of the simple 
heuristic in dashed lines. The heuristic is within the bounds 
and relatively close to the optimal for 70 filters; however its 
performance degrades fast with decreasing number of filters. 

Given the low complexity of this simple heuristic, we are 
now able to simulate scenarios for a much larger number of 
attacks, which was prohibitively slow in simulation for the 
optimal solution. Fig. 14 shows the results for 1000-10000 
nodes for the combined DDos+fiash crowd scenario. Similar 
trends hold as we saw before: the performance degrades and 
the number of required filters vary at similar rates as before. 

The heuristic we explored is clearly preliminary and serve 
just as a proof of concept. We are currently working on im- 
proving the heuristic (i) based on the intuition we obtained 
from the structural properties of the optimal solution and 
(ii) taking into account the attack traffic distribution. 

5. CONCLUSION 

In this paper, we studied the problem of single-tier and two- 
tier filtering against a DDoS attack as a resource optimiza- 
tion problem. The purpose of filtering is to filter out indi- 
vidual attackers, or entire gateways, so as to maximize the 
amount of good traffic preserved, subject to constraints on 
the number of filters and the total available bandwidth. We 
formulated and solved the first problem as an optimization 
problem and showed the reduction to a well known knap- 
sack problem. For the second problem which is a nonlinear 
optimization problem with non-linear constraints we showed 



1.1 




1000 2000 3000 4000 5000 6000 7000 8000 9000 1000 

number of attackers (and legitimate users) 



Figure 14: Modified Zombie scenario for 
DDoS+Flash Crowd, for large number of nodes. 

how to solve it optimally in a dynamic programming frame- 
work and we simulated the optimal solution using realistic 
attack scenarios. We showed through simulations that the 
optimal filtering policy can bring significant improvement 
over any other policy in terms of preserved good traffic and 
number of filters used. We also developed a simple heuristic 
for the multi-tier scenario and showed that it performs well 
under realistic attack scenarios. During our simulation we 
have constructed models of a DDoS attack based on analysis 
of worm infection and showed that the optimal filtering can 
successfully mitigate such attack schemes. We are currently 
working on developing efficient heuristics to achieve near- 
optimal solution at lower complexity. We believe that filter 
optimization is both important, to enable DDoS mitigation 
with today's mechanisms, and an interesting problem in it- 
self. This work serves as a quantitative upper bound of using 
filtering mechanisms to mitigate DDoS because it uses the 
optimal policy to filter attack traffic. Such a quantitative 
study of filtering is missing from the DDoS literature and 
is an essential step towards successfully mitigating DDoS 
attacks. One downside of filtering is that although we as- 
sumed perfect attack detection which is ideal, sometimes 
even optimal filtering will incur collateral damage to legit- 
imate traffic. We are currently addressing the issue of im- 
perfect attack identification and evaluating the performance 
of optimal filtering under such conditions. 
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